On 3/23, Workday changed their server certificates. For some Workday customers, the new cert's trust chain reaches back to a root cert that is untrusted in (missing from) the Boomi Atom Cloud and some private Atoms.
Here is what the error looks like:
- Log on to your customer's Workday instance, or at least get to the login page.
- Click the padlock icon in your browser to inspect certificate details.
- Discover the root certificate; example circled in green below; your root cert may be different but it will be from DigiCert.
- Go to Atom Management | Certificates | Certificate Authority. Verify that the root cert is in fact missing from your private Atom:
- Go to the DigiCert website and download the root cert you just identified. https://www.digicert.com/digicert-root-certificates.htm#roots
- Save the cert somewhere convenient--you will be typing the path to that cert later on.
- RDP to the private Atom box.
- On the private Atom box, open this file: <Atom Install Folder>\.install4j\pref_jre.cfg. If not present, open inst_jre.cfg instead. This file tells you what JRE the Atom is using.
- Navigate to that JRE path, and get into the folder lib\security; make sure you see the file called "cacerts".
- Run a command prompt as administrator. Navigate to the JRE path, get into the "bin" folder.
- Execute this command, replacing <paths...> with the paths you have just verified in steps above. Also choose a reasonable alias in place of <your alias>
keytool -import -alias <your alias> -file "<path to new downloaded certificate including filename>" -keystore "<path to cacerts including filename>" -storepass changeit
- Answer "y" when prompted if you want to import the certificate.
- Restart the Atom.